Execute INSERT/UPDATE/DELETE in dry-run mode - actually runs the SQL within a transaction, captures REAL results (exact row counts, actual errors, before/after data), then ROLLBACK so nothing persists. More accurate than mutation_preview. Use this to verify mutations will work correctly before co...
AI agents invoke mutation_dry_run to trigger actions in Postgres. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
Although the tool uses ROLLBACK to prevent persistence, it executes real INSERT/UPDATE/DELETE SQL commands within a transaction, making it an Execute category tool. The ability to run arbitrary mutations with side effects that are only reverted post-execution—and to inspect actual error conditions and affected rows—means an AI agent could use this to explore destructive operations or test malicious mutations.
From the tool's definition The tool 'mutation_dry_run' "Execute[s] INSERT/UPDATE/DELETE in dry-run mode" and "actually runs the SQL within a transaction," with capability to "capture REAL results (exact row counts, actual errors, before/after data)." This constitutes execution of…
Attacks that exploit this kind of access
Execute INSERT/UPDATE/DELETE in dry-run mode - actually runs the SQL within a transaction, captures REAL results (exact row counts, actual errors, before/after data), then ROLLBACK so nothing persists. More accurate than mutation_preview. Use this to verify mutations will work correctly before committing. Returns detailed PostgreSQL error info (code, constraint, hint) on failure. Optionally use server/database/schema params for one-time execution on a different server. It is categorised as a Execute tool in the Postgres MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Postgres MCP server in PolicyLayer and add a rule for mutation_dry_run: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Postgres. Nothing to install.
mutation_dry_run is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the mutation_dry_run rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for mutation_dry_run. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
mutation_dry_run is provided by the Postgres MCP server (teja-sudo/postgres-mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →